And if you're using FreeBSD with a fast NIC, look into the pfilctl command and use a "head" input hook into your NIC driver's ethernet input handling routine. Doing this allows the firewall input checks to happen early, before the packet has been received into the network stack, while it's still in DMA-mapped, driver-owned buffers. If the firewall decides a packet is to be dropped, the NIC can recycle the buffer with minimal overhead (skips DMA-unmap, buffer free, ethernet input into the IP stack, and the replacement buffer alloc and DMA map).
This allows for very fast dropping of DoS flood attacks. I've tested this using ipfw up to screening and dropping several tens of millions of packets per second on 2014-era Xeons with minimal impact to traffic serving. I wrote a paper about this for a conf. that was cancelled due to COVID. I really need to re-submit it someplace.
This works for Mellanox, Chelsio, and NICs that use iflib (ix, ixl, igb, bnxt, and more that I'm forgetting).
I'm picturing that scene a few episodes into the soul art anime - I barely remember it but the main character was so overpowered, he was standing there absorbing a full barrage from a much lower ranked opponent flooding him with punches and kicks; the main character's health regenerated so quickly that the attack didn't have effects.
In 2014 I was working on a hardware appliance for a company that has something to do with packet capture, and I found an intel driver that implemented a ring buffer on a 1 gigabit Ethernet adapter that allowed me to capture line rate without dropping a single packet over the course of hours; prior to this the adapter was barely able to capture 90% of the packets. I remember marveling at the design that must have gone into it, and here too to your description of this performance improvement.
But you don't have to cobble together a bunch of arcane iptables commands and then combine bpf and other userland tools ... when you can just use the clean syntax of PF. Especially for home use, that's a clear win.
I've used both extensively and I find eBPF+iptables (and sometimes nft) significantly more flexible and easier to use in the real world (not just simple examples) than PF. shrug
I have -- I let the OpenBSD firewalls take care of it :P
Seriously though it's something I need to get familiar with, I do still have plenty of Linux boxes that face the public Internet and are currently dependent on iptables/ip6tables rulesets. The problem is I'm currently masking that pain with Ansible.
There is a definite lack of a declarative tool that glues it all together.
Typical hardware switches and routers just have one (sometimes expanded by includes/macros but still) config syntax to control every part of networking stack.
So you can configure an interface and set its VLANs all in one place instead of creating a dozen ethX.Y devices, then creating a bunch of brY bridges, and then attaching the interfaces to them.
In Linux instead you'd be using the iproute2 set of tools to configure interfaces and static routing, iptables for IP ACLs, ebtables for ethernet ACLs (or now nftables, I guess), without any tool to apply/revert changes all at once.
Many have tried doing that, but IMO I haven't seen anything good.
Many also try to "simplify" iptables, and all it ends up with is me being annoyed because I know which iptables commands I need to run but I need to translate them back into a "higher" level config syntax. One exception is ferm ( http://ferm.foo-projects.org/ ), because it keeps iptables-like keywords and just expands on them, but it is iptables only and kinda superseded by nftables syntax anyway.
iptables/ebtables are deprecated even in RHEL. While people are free to continue not to transition to nftables, complaining about problems with iptables a decade after its replacement arrived is a bit silly.
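To make the nftables point concrete, here is an added example ruleset (it is not from any commenter in this thread). It shows the part of the "one config file" complaint that nft does address: IP-layer ACLs and Ethernet-layer ACLs (the old ebtables job) live in one file, and loading it with `nft -f` replaces the whole ruleset in a single transaction, so there is no half-applied state to revert by hand. Interface names (`wan0`, `br0`), addresses and the blocked MAC are assumptions. Interface, VLAN and bridge creation are still outside nft's scope; that part remains iproute2 or a network manager.

```nft
#!/usr/sbin/nft -f
# Added example ruleset, not from any commenter. Interface names,
# addresses and MACs below are assumptions for illustration.
# `nft -f` loads this file as one atomic transaction: either every
# rule applies, or the previous ruleset stays in place untouched.

flush ruleset

define wan = "wan0"
define lan = "br0"
define lan_net = 192.0.2.0/24               # assumed LAN prefix
define mgmt_hosts = { 192.0.2.10, 192.0.2.11 }  # assumed admin hosts

# IP-layer ACLs: the inet family covers IPv4 and IPv6 in one table
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        ct state invalid drop
        ct state established,related accept
        iif "lo" accept

        # ICMP/ICMPv6 are needed for PMTU discovery and neighbour discovery
        meta l4proto { icmp, ipv6-icmp } accept

        # SSH only from the management hosts; WAN-side SSH hits the drop policy
        tcp dport 22 ip saddr $mgmt_hosts accept
        tcp dport { 80, 443 } accept

        # rate-limit the log line so a flood cannot fill the journal
        limit rate 5/second log prefix "nft-input-drop: "
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # LAN may initiate connections to the Internet; nothing else is forwarded
        iifname $lan ip saddr $lan_net oifname $wan accept
    }
}

# Ethernet-layer ACLs on the bridge: what ebtables used to provide
table bridge filter {
    chain forward {
        type filter hook forward priority filter; policy accept;
        # only IPv4, IPv6 and ARP may cross bridge ports; drop other L2 protocols
        ether type != { ip, ip6, arp } drop
        # block one known-bad station by source MAC (assumed address)
        ether saddr 00:11:22:33:44:55 drop
    }
}
```

Validate the file without touching the running ruleset with `nft -c -f /etc/nftables.conf`; apply it with `nft -f /etc/nftables.conf`. Because each load is a full replacement, "revert" is just loading the previous version of the file (keep it in version control, or save the live state first with `nft list ruleset > backup.nft`).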